As threats and responsibilities have expanded, the role of SIEM solutions has morphed into one of the greatest assets an analyst has, becoming the Swiss army knife of incident response and orchestration. Security analysts use SIEM systems for advanced analytics, including user and behavior analysis, real-time monitoring, and data and application monitoring.

With this expanding role, SIEM architecture has evolved from a linear, sequential log management model that focuses on what happened in which order to a hub-and-spoke model, where SIEM tools aggregate and correlate data from security feeds. Spokes of this model can incorporate a variety of systems, such as vulnerability assessment solutions, governance, risk and compliance (GRC) systems, application and database scanners, intrusion prevention systems (IPS), user and entity behavior analytics (UEBA), endpoint detection and remediation (EDR), and threat intelligence platforms (TIP).

An optimized security operations model requires the adoption of a security framework that makes it easy to integrate security solutions and threat intelligence into day-to-day processes. A central role for modern SIEM tools is to provide centralized and actionable dashboards that help integrate threat data to keep operations and management apprised of evolving events and activities. By linking threat management with other systems for managing risk and compliance, security operations center (SOC) teams can better manage overall risk posture. Such configurations support continuous visibility across systems and domains and can use actionable intelligence to drive better accuracy and consistency into security operations. Centralized functions reduce the burden of manual data sharing, auditing, and reporting throughout.

The ACE performs rules-based correlation and, just as importantly, relieves the receivers of having to correlate events themselves. The ACE also performs risk, deviation, and historical correlation.
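To make the correlation types above concrete, here is a small added example (not code from the page or from any SIEM vendor) that feeds constructed events from three spokes of a hub-and-spoke model (an IPS feed, a vulnerability-assessment feed and an EDR authentication-failure feed) through a rules-based correlation, a deviation correlation against historical baselines, and a combined risk score. Host addresses, service names, the baseline counts and the score weights are all assumptions made up for the demonstration.

```python
from statistics import mean, pstdev

# Constructed sample data standing in for three spokes of the hub-and-spoke model.
# IPS spoke: alerts naming the attacked host and the targeted service.
IPS_ALERTS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "service": "ssh"},
    {"src": "198.51.100.7", "dst": "10.0.0.9", "service": "ssh"},
]
# Vulnerability-assessment spoke: host -> services the scanner reported as vulnerable.
VULN_FINDINGS = {"10.0.0.5": {"ssh"}, "10.0.0.9": set()}
# EDR spoke: hourly authentication-failure counts on 10.0.0.5 for the last 24 hours
# (historical baseline) and the count observed in the current hour.
AUTH_FAIL_HISTORY = [2, 3, 1, 4, 2, 3, 2, 1, 3, 2, 2, 4, 3, 1, 2, 3, 2, 2, 1, 3, 2, 4, 2, 3]
AUTH_FAIL_NOW = 40


def rules_correlation(alerts, findings):
    """Rules-based correlation: keep only IPS alerts whose targeted service is one the
    scanner flagged as vulnerable on the same host. Either feed alone is noisy; the
    intersection is a much higher-confidence event for the analyst."""
    return [a for a in alerts if a["service"] in findings.get(a["dst"], set())]


def deviation_correlation(history, now, k=3.0):
    """Deviation correlation against historical data: flag the current value when it
    exceeds mean + k * population stddev of the baseline. Returns (flagged, threshold)."""
    threshold = mean(history) + k * pstdev(history)
    return now > threshold, threshold


def risk_score(alerts, findings, history, now):
    """Risk correlation: combine the two signals into one score (weights are assumed)."""
    score = 0
    if rules_correlation(alerts, findings):
        score += 50  # confirmed attack against a known-vulnerable service
    anomalous, _ = deviation_correlation(history, now)
    if anomalous:
        score += 30  # authentication failures far above the host's own baseline
    return score


if __name__ == "__main__":
    print("correlated IPS alerts:", rules_correlation(IPS_ALERTS, VULN_FINDINGS))
    print("auth-failure deviation:", deviation_correlation(AUTH_FAIL_HISTORY, AUTH_FAIL_NOW))
    print("risk score:", risk_score(IPS_ALERTS, VULN_FINDINGS, AUTH_FAIL_HISTORY, AUTH_FAIL_NOW))
```

The hub (here, the script) does all the matching, so the individual feeds only have to emit normalized events, which is the division of labor the text describes.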